Description

I was able to fool Facebook's Graph Search, bypass privacy restrictions, and extract sensitive information about users' applications and Pages. I was able to get the applications used by any user, regardless of privacy settings set to Only Me, and I was also able to get the Pages liked by a user, regardless of privacy settings set to Only Me.

For example, I was able to see the applications used by Mark Zuckerberg despite the privacy settings set on them.

What is Facebook Graph Search and how does it work?

Facebook Graph Search is a semantic search tool developed by Facebook, including engineers who had joined Facebook from Google. It was an innovation in that it let people see what their friends were doing, something that is not possible with a traditional Google search.

How Graph Search Works Internally

Graph Search is essentially built on set theory: a query names one or more sets of people or things and combines them with set operations, and the search engine executes the query and returns the resulting set.

For example,
A = {1,2,3}
B = {2,3,7}

Then,
Intersection = {2,3}
Union = {1,2,3,7}

Graph Search combines query results in the same way: "used by A and B" is the intersection of the two users' sets, and "used by A or B" is their union.

A similar bug was found by Philippe Harewood: "Abusing Facebook Graph Search using GraphQL". That bug gave me the initial idea. He exploited Graph Search directly through GraphQL, whereas I tried to abuse it directly on the website.

Proof Of Concept

Getting the applications used by any user.

The intersection of two sets was handled properly and did not expose any information protected by the Only Me or any other privacy setting.

This returned a few applications which were used by me or Mark Zuckerberg. I demonstrated this vulnerability on my test accounts.
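The following is an added example, not code from the original post or from Facebook, that models the behaviour described above: a set-based search in which the viewer's visibility check is applied on the intersection ("and") query but skipped on the union ("or") query, so a union with the viewer's own set returns the other user's Only Me items. Every name in it (User, LeakyGraphSearch, GraphSearch, the sample users and items) is an assumption made for the illustration. The same per-edge filter also covers the per-section Page likes described later in the post, which is why the model keys edges by kind.

```python
# Added toy model of a set-based "graph search" over user -> item edges with
# per-edge privacy settings.  Constructed example, not Facebook's code: it
# reproduces the failure mode in the write-up, where the viewer's visibility
# filter is applied to an intersection query but not to a union ("or") query.

from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    friends: set = field(default_factory=set)
    # kind -> {item: privacy}; kinds model apps and the per-section page likes
    # (books, tv_shows, ...), each element carrying its own privacy setting.
    edges: dict = field(default_factory=dict)


def can_see(viewer: str, owner: User, privacy: str) -> bool:
    """Viewer-relative visibility of a single edge owned by `owner`."""
    if viewer == owner.name or privacy == "public":
        return True
    if privacy == "friends":
        return viewer in owner.friends
    return False  # "only_me" (and any unknown value) is denied


def raw_items(owner: User, kind: str) -> set:
    """All of the owner's edges of one kind, with no privacy applied."""
    return set(owner.edges.get(kind, {}))


def visible_items(viewer: str, owner: User, kind: str) -> set:
    """Only the edges of one kind that `viewer` is allowed to see."""
    return {item for item, p in owner.edges.get(kind, {}).items()
            if can_see(viewer, owner, p)}


class LeakyGraphSearch:
    """Hypothetical bug: the privacy filter exists only on the intersection path."""

    def __init__(self, users):
        self.users = {u.name: u for u in users}

    def used_by_all(self, viewer, kind, names):   # "<kind> used by A and B"
        return set.intersection(*(visible_items(viewer, self.users[n], kind) for n in names))

    def used_by_any(self, viewer, kind, names):   # "<kind> used by A or B"
        # BUG: raw edge sets are unioned; nothing is filtered for the viewer
        return set.union(*(raw_items(self.users[n], kind) for n in names))


class GraphSearch(LeakyGraphSearch):
    """Hardened: every edge is checked against the viewer before any set operation."""

    def used_by_any(self, viewer, kind, names):
        return set.union(*(visible_items(viewer, self.users[n], kind) for n in names))


def demo():
    # Constructed users and edges; "target" keeps one app and one TV show Only Me.
    attacker = User("attacker", edges={"apps": {"Candy Crush": "public"}})
    target = User("target", friends={"buddy"}, edges={
        "apps": {"Candy Crush": "public", "Tinder": "only_me", "Spotify": "friends"},
        "tv_shows": {"Game of Thrones": "only_me"},
    })
    leaky, fixed = LeakyGraphSearch([attacker, target]), GraphSearch([attacker, target])
    pair = ["attacker", "target"]
    return {
        "leaky_and": leaky.used_by_all("attacker", "apps", pair),   # filtered correctly
        "leaky_or": leaky.used_by_any("attacker", "apps", pair),    # leaks Tinder, Spotify
        "fixed_or": fixed.used_by_any("attacker", "apps", pair),    # only the public app
        "leaky_tv": leaky.used_by_any("attacker", "tv_shows", pair),
        "fixed_tv": fixed.used_by_any("attacker", "tv_shows", pair),
    }


if __name__ == "__main__":
    for query, result in demo().items():
        print(f"{query}: {sorted(result)}")
```

The point of the hardened version is that authorization is applied to each edge at fetch time, so every operator consumes already-filtered sets; a filter that lives inside one operator is exactly where a second query shape (here, the union) slips past.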

Getting the Pages liked by a user.

On a user profile, a user can like Pages in categories such as Apps and Games, Movies, TV Shows, Music, Books and Sports. These liked Pages are grouped by category, and each category (Books, Music, Sports, and so on) is a separate section with its own privacy setting; a user can choose a different privacy setting for each section and for the individual elements within it.
For example, I visited this page (https://www.facebook.com/pranavhivarekar.hacker/games?pnref=lhc); it showed me all the sections, and I was able to set different privacy settings on different sections and on individual elements.

So here I was able to extract any user's personal information: the Books they had read, the Movies they had watched, and so on. All of this personal information was available via Graph Search, regardless of the privacy settings.

To check whether a TV show was liked by me, I used another of my test accounts and fired the following query. My privacy settings for that Page were set to Only Me.